Detect what process is changing a file on Windows

8

Is there a way to detect what process is changing a file on Windows 7?

I know procmon is a great tool but couldn't figure out how to do it, or even if it's possible.

The problem is that I have a file that is changed by some application and I want to find out which one.

RaduM

Posted 2012-12-19T12:22:02.350

Reputation: 193

Why can't you use the filter in ProcMon (just type in the name of the file)? – Dave – 2012-12-19T12:27:46.970

Answers

12

Both procexp and procmon are good for this. If the process holds a handle to the file in question then just run procexp and choose "Find Handle or DLL" from the Find menu then type in part of the file name you're searching for.

Alternatively (and as mentioned in the comments to the question), to use procmon to find, for example, a file called readme.txt, open the filter dialog and set the filter as so:

Process monitor filter screen capture

Then press the Add button. Make sure there are no other processes that are excluded that might be touching your file.

Then start capturing events and sit back and wait.

shunty

Posted 2012-12-19T12:22:02.350

Reputation: 660

How can you tell that an event in procmon is a file modification event? I can see the place where the file is opened and closed, but I can't see events that are clearly modifications to the file. – Omnifarious – 2013-01-29T02:15:10.200

In the README.txt case there appears to be a WriteFile operation. I don't think it's always that easy though, as it will depend on how the application deals with writing, i.e. does it cache stuff or save writes until later, etc. There's also a QueryBasicInformationFile operation which has LastAccess and LastWrite times. – shunty – 2013-01-29T10:52:15.993

@shunty: Ahh, there was so much file reading going on that the WriteFile operations were hidden in the noise. I captured the whole install process from beginning to end, so it doesn't matter if there was any caching or buffering: if a file was written to, the event should be in there. – Omnifarious – 2013-01-29T18:27:58.540
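As an added example (not code from the answer or the comments above): once a Procmon capture has been saved as CSV (File > Save, CSV format), this Python script picks the modifying operations on one path out of the read noise that Omnifarious describes and reports which process and PID performed them. It assumes Procmon's default CSV column names (Time of Day, Process Name, PID, Operation, Path, Result, Detail); the sample rows, process names and PIDs are constructed for the example.

```python
import csv
import io
from collections import Counter

# Procmon operations that change a file's data or metadata. WriteFile is the one
# named in the thread; the rest are standard Procmon operation names (assumption:
# a reasonable default set, extend it for your case).
WRITE_OPS = {"WriteFile", "SetEndOfFileInformationFile",
             "SetBasicInformationFile", "SetRenameInformationFile"}

# Constructed sample in the column layout of Procmon's CSV export.
# Paths, process names and PIDs are made up for this example.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
10:52:15.0000001 AM,Explorer.EXE,1234,CreateFile,C:\Users\radu\readme.txt,SUCCESS,"Desired Access: Read Attributes"
10:52:15.0000002 AM,Explorer.EXE,1234,QueryBasicInformationFile,C:\Users\radu\readme.txt,SUCCESS,"LastWriteTime: 12/19/2012 12:22:02 PM"
10:52:16.0000001 AM,notepad.exe,4321,CreateFile,C:\Users\radu\readme.txt,SUCCESS,"Desired Access: Generic Read"
10:52:16.0000002 AM,notepad.exe,4321,ReadFile,C:\Users\radu\readme.txt,SUCCESS,"Offset: 0, Length: 4,096"
10:52:17.0000001 AM,setup.exe,5555,CreateFile,C:\Users\radu\readme.txt,SUCCESS,"Desired Access: Generic Write"
10:52:17.0000002 AM,setup.exe,5555,WriteFile,C:\Users\radu\readme.txt,SUCCESS,"Offset: 0, Length: 42"
10:52:17.0000003 AM,setup.exe,5555,SetEndOfFileInformationFile,C:\Users\radu\readme.txt,SUCCESS,EndOfFile: 42
10:52:18.0000001 AM,backup.exe,8080,WriteFile,C:\Users\radu\readme.txt,ACCESS DENIED,"Offset: 0, Length: 10"
10:52:18.0000002 AM,svchost.exe,700,WriteFile,C:\Windows\Logs\other.log,SUCCESS,"Offset: 0, Length: 99"
"""


def file_events(path, csv_text):
    """Yield parsed rows whose Path equals `path` (case-insensitive, like NTFS)."""
    target = path.lower()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Path"].lower() == target:
            yield row


def writers_of(path, csv_text, successful_only=True, write_ops=WRITE_OPS):
    """Return {(process name, pid): count of modifying operations} for `path`."""
    counts = Counter()
    for row in file_events(path, csv_text):
        if row["Operation"] not in write_ops:
            continue
        if successful_only and row["Result"] != "SUCCESS":  # skip denied writes
            continue
        counts[(row["Process Name"], int(row["PID"]))] += 1
    return dict(counts)


def noise_ratio(path, csv_text, write_ops=WRITE_OPS):
    """(all events on path, modifying events): shows how few of the rows are writes."""
    rows = list(file_events(path, csv_text))
    return len(rows), sum(r["Operation"] in write_ops for r in rows)
```

Set `successful_only=False` to also see processes that tried to write but were denied, which is often worth knowing when the file's ACL was tightened on purpose.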